Privacy Policy

For the purposes of the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, the personal information controller responsible for your data is:

Morph Tech Inc. is committed to protecting and respecting your privacy. This Privacy Policy describes our practices regarding the personal data we collect through the StressAId platform in compliance with Republic Act No. 10173 (Data Privacy Act of 2012), its Implementing Rules and Regulations (IRR), and all relevant issuances of the National Privacy Commission (NPC).

We collect the following categories of personal information, each for a specific and legitimate purpose:

2.1 Account Information (collected at registration)

• Full name — from your Google account, used to personalize your dashboard and greetings
• Email address — from your Google account, used for account identification and transactional communications
• Profile photograph — from your Google account, displayed in your profile and sidebar

2.2 Onboarding Information (voluntarily provided)

• Age range — used to provide age-appropriate wellness content
• Industry / occupation — used to tailor stress management recommendations
• City / province — used for anonymized regional wellness statistics

2.3 Wellness Data (generated through platform use)

• Assessment responses and scores — your answers to stress self-evaluation questionnaires
• Mood logs — daily mood entries including selected mood level and optional notes
• Journal entries — private written reflections and AI-prompted responses
• AI conversation transcripts — messages exchanged with the AI Wellness Companion
• Breathing exercise sessions — technique used, duration, and completion status
• Game activity — scores and session data from wellness games
• Video viewing progress — which videos were watched, watch duration, and completion percentage

2.4 Payment Data

• Subscription status — plan type, start date, expiry date, and payment status
• Transaction reference numbers — PayMongo checkout and payment IDs
• We do NOT store credit card numbers, CVV codes, bank account numbers, or e-wallet credentials. All payment processing is handled by PayMongo, a BSP-licensed payment facilitator.

2.5 Technical & Usage Data (automatically collected)

• Analytics events — page views, feature usage, button clicks (anonymized)
• Session metadata — login timestamps, active role, last active date
• Device information — browser type, operating system (from user-agent string, not fingerprinted)

2.6 What We Do NOT Collect

• We do not collect biometric data (fingerprints, face scans, voice prints)
• We do not collect location data (GPS coordinates)
• We do not collect contacts, call logs, or messages from your device
• We do not use cookies for advertising or third-party tracking
• We do not collect government-issued identification numbers

We process your personal data under the following lawful bases as defined by Section 12 and Section 13 of RA 10173:

You may withdraw your consent at any time by contacting our Data Protection Officer at dpo@stressaidph.com. Withdrawal of consent does not affect the lawfulness of processing performed prior to withdrawal.

We use your personal data for the following purposes, and no others:

• Service Delivery — To provide personalized stress assessments, AI wellness guidance, mood tracking, journaling, breathing exercises, and coaching video access
• Wellness Tracking — To generate your personal wellness history, trends, streaks, and progress reports visible only to you
• AI Personalization — To provide contextually relevant responses from the AI Wellness Companion based on your previous interactions and Coach Ricky's content (via Retrieval-Augmented Generation)
• Organizational Reports — If linked to an organization: to generate only anonymized, aggregated group wellness statistics. Individual data is never included.
• Payment Processing — To verify subscription status and manage access to premium features
• Communication — To send transactional emails (subscription confirmations, payment receipts, security alerts) via Resend. We do not send marketing emails.
• Safety — To detect crisis keywords in AI conversations and display emergency resources (Philippine crisis hotlines)
• Platform Improvement — To analyze anonymized usage patterns and improve features, fix bugs, and enhance performance

We do not sell, rent, lease, or trade your personal data to any third party. Period.

Your data may be processed by the following third-party service providers acting as personal information processors under our instruction, pursuant to data processing agreements that require them to protect your data to standards no less than those described in this policy:

Other disclosures. We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request under Philippine law, including valid subpoenas, court orders, or lawful requests from Philippine regulatory agencies such as the National Privacy Commission (NPC).

We implement organizational, physical, and technical security measures to protect your personal data against unauthorized access, accidental loss, alteration, or destruction, in accordance with Section 20 of RA 10173:

Technical Measures

• Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS)
• Encryption at Rest — Database and storage are encrypted using AES-256 encryption at the infrastructure level
• Row-Level Security (RLS) — Every database table has RLS policies enforcing that users can only access their own data. This is enforced at the PostgreSQL database engine level, not application code, making it impossible to bypass even in the event of a code vulnerability.
• Server-Side AI Processing — All AI conversations are processed through secure Edge Functions (server-side). No AI model runs in your browser. API keys never leave the server.
• OAuth 2.0 with PKCE — Authentication uses Proof Key for Code Exchange flow, preventing authorization code interception attacks
• No Password Storage — We use Google OAuth exclusively. No user passwords are ever stored in our systems.
• Content Security Policy (CSP) — Strict CSP headers prevent cross-site scripting (XSS) and data injection attacks
• DevTools Protection — Client-side integrity monitoring detects and logs unauthorized inspection attempts

Organizational Measures

• Access Control — Only authorized system administrators can access user data, and only through role-gated dashboards with full audit logging
• Principle of Least Privilege — Service accounts and API keys are scoped to minimum required permissions
• Security Incident Response — We maintain a documented incident response plan for data breach scenarios in compliance with NPC Circular 16-03

StressAId uses browser localStorage (not cookies) for the following essential functions:

• Authentication session — Managed by Supabase Auth; stores your encrypted session token for seamless login
• Profile cache — Stores your name, email, role, and photo locally for 5 minutes to reduce database queries and improve page load speed. Verified with SHA-256 integrity hash.
• Active role — Remembers which dashboard you last used (user, coach, org admin, admin) for navigation
• Theme preference — Stores your dark/light mode preference
• Last seen notifications — Tracks which notifications you have already read
• What's New popup — Records the last changelog timestamp you viewed to avoid showing repeat popups

We do not use:

• Third-party tracking cookies
• Advertising cookies or pixels
• Social media tracking scripts
• Browser fingerprinting techniques
• Any analytics services beyond our own first-party event tracking

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law:

Upon account deletion or expiry of the retention period, we will securely delete or anonymize your personal data within thirty (30) days, except where retention is required by Philippine law (e.g., BIR record-keeping requirements under the National Internal Revenue Code).

As a data subject under the Philippine Data Privacy Act, you have the following rights. We will respond to all legitimate requests within fifteen (15) days of verification of your identity:

• Right to Be Informed (Section 16(a)) — You have the right to be informed of the collection and processing of your personal data, including the purpose, scope, and method of processing. This Privacy Policy fulfills this obligation.
• Right to Access (Section 16(c)) — You have the right to request access to your personal data, including the sources, recipients, manner of processing, and any automated decision-making applied to your data.
• Right to Rectification (Section 16(d)) — You have the right to correct any inaccurate or incomplete personal data. You can update most of your profile information directly through the StressAId dashboard.
• Right to Erasure or Blocking (Section 16(e)) — You have the right to request deletion or blocking of your personal data if it is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purpose for which it was collected.
• Right to Data Portability (Section 18) — You have the right to obtain a copy of your personal data in a structured, commonly used, and machine-readable format (JSON or CSV).
• Right to Object (Section 16(c)) — You have the right to object to the processing of your personal data, including processing for direct marketing, automated processing, or profiling.
• Right to Lodge a Complaint — You have the right to lodge a complaint with the National Privacy Commission (NPC) if you believe your data privacy rights have been violated.

To exercise any of these rights, contact our Data Protection Officer:

When your account is linked to an organization through StressAId:

• Individual data is NEVER shared. Your employer, school, or organization administrator cannot see your personal mood logs, journal entries, assessment answers, AI conversations, or any other personal wellness data.
• Only aggregated statistics. Organization reports display only group-level anonymized metrics such as: average stress levels, participation rates, feature engagement percentages, and trend data — computed across groups with a minimum threshold to prevent re-identification.
• Database enforcement. Data isolation is enforced by PostgreSQL Row-Level Security policies at the database engine level. Even if the application code were compromised, RLS would prevent unauthorized data access.
• You can leave. You may unlink your account from an organization at any time. Your personal data will be removed from all future aggregate calculations for that organization within 24 hours.

When you use the AI Wellness Companion, your messages are processed as follows:

• Server-side processing. Your messages are sent to our secure Edge Functions (server-side), which then call the Anthropic Claude API. The AI model never runs in your browser.
• No persistent storage by AI providers. Anthropic processes your messages in real-time and does not retain conversation data after processing, per their data processing terms.
• Conversation storage. Your AI conversation history is stored in our Supabase database (encrypted at rest) so you can review past conversations. You can delete individual sessions at any time.
• No training on your data. Your conversations are not used to train, fine-tune, or improve AI models. They are processed for the sole purpose of generating your response.
• Content safety. The AI monitors conversations for crisis keywords (e.g., self-harm, suicidal ideation) and will display Philippine crisis hotline resources when detected. This is a safety feature, not surveillance — no human reviews these alerts unless you explicitly request help.

Some of our third-party service providers process data outside the Philippines. In accordance with Section 21 of RA 10173 and NPC Circular 2022-01 on cross-border data transfers:

• Supabase — Infrastructure hosted in Singapore and United States
• Google — Authentication infrastructure in the United States
• Anthropic — AI processing in the United States
• OpenAI — Transcription processing in the United States
• Resend — Email delivery in the United States
• Bunny.net — Video CDN in the European Union

All cross-border transfers are subject to appropriate safeguards, including data processing agreements that require the receiving party to protect your data with security measures at least equivalent to those required under RA 10173. These transfers are necessary for the performance of our contract with you (providing the StressAId service) as permitted under Section 21(a) of the Act.

PayMongo, our payment processor, processes all payment data within the Philippines.

StressAId is designed for users aged eighteen (18) and above. We do not knowingly collect personal data from children under thirteen (13).

• Users aged 13-17 may access StressAId only through institutional deployments (schools or organizations) with verified parental or guardian consent, in compliance with RA 10173 Section 12(a) and RA 7610 (Special Protection of Children).
• For institutional deployments involving minors, the deploying organization bears responsibility for obtaining and maintaining parental consent records.
• If we discover that we have collected personal data from a child under 13 without parental consent, we will delete that data promptly upon discovery.

Parents or guardians who believe their child's data has been collected without consent may contact us at privacy@stressaidph.com.

In the event of a personal data breach that is likely to cause serious harm to affected data subjects, we will:

• Notify the National Privacy Commission (NPC) within seventy-two (72) hours of becoming aware of the breach, in compliance with NPC Circular 16-03
• Notify affected data subjects within seventy-two (72) hours of becoming aware of the breach, if the breach involves sensitive personal information or is likely to result in serious harm
• Document the breach details, including nature, cause, scope, remedial measures taken, and steps to prevent recurrence
• Take immediate steps to contain the breach and mitigate its effects

Notification to data subjects will include: the nature of the breach, the personal data potentially involved, measures taken to address the breach, and recommended actions you can take to protect yourself.

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Effective Date" at the top of this page
• We will notify you through an in-app notification or email at least fifteen (15) days before the changes take effect
• If the changes involve a new purpose for processing your sensitive personal information, we will obtain your fresh consent before applying the change

Your continued use of StressAId after the effective date of a revised policy constitutes your acceptance of the changes, except where fresh consent is required for sensitive personal information.

For any questions, requests, or complaints regarding this Privacy Policy or our data practices: